NetFlow Field Types and Database Formats
Introduction
This chapter describes the fields contained in NetFlow records (NFR). It also details the formats and field contents of NetFlow Records data tables:
• NetFlow Field Types
• Database Tables: Formats and Field Contents
NetFlow Field Types
The following sections detail the different types of NetFlow fields:
• NetFlow Field Types for RPT_USAGE_NF Table
• NetFlow Field Types for RPT_TRANSACTION_NF
• NetFlow Field Types for RPT_GLB_USAGE_NF Table
• NetFlow Field Types for CONF_TZ_OFFSET_NF Table
• NetFlow Field Types for NF_INI_VALUES Table
NetFlow Field Types for RPT_USAGE_NF Table
Usage Records are records of the different types of applications running over a specific interface. The operator can use Usage Records to monitor how much bandwidth the different applications use. The Usage Records show this application usage over a specific time period, the peak and average usages, and usage for a specific application type.
Table A-1 describes NetFlow Field Types for RPT_USAGE_NF Table:
Table A-1 Summary of NetFlow Field Types for RPT_USAGE_NF Table
| Field Name | Field Type ID | Data Type | Description |
|---|---|---|---|
| time_stamp | - | TIMESTAMP | DB insertion timestamp value |
| head_time_stamp | - | INT32 | Packet timestamp from ASR1K |
| head_source_id | - | INT32 | Contains the IP address of the Cisco ASR1K platform that generated the NFR |
| class_id | 51 | UINT32 | Reserved for future use. |
| application_id | 95 | INT32 | The unique ID for the application |
| ingressInterface | 10 | UINT32 | The index of the IP interface where packets of this Flow are being received. |
| egressInterface | 14 | UINT32 | The index of the IP interface where packets of this Flow are being sent. |
| flowDirection | 61 | UINT8 | The direction of the Flow observed at the Observation Point. There are only two values defined (Ingress/Egress). |
| flowStartSysUpTime | 22 | UINT32 | The relative timestamp of the first packet of this Flow. It indicates the number of milliseconds since the last (re-)initialization of the IPFIX Device (sysUpTime). |
| flowEndSysUpTime | 21 | UINT32 | The relative timestamp of the last packet of this Flow. It indicates the number of milliseconds since the last (re-)initialization of the IPFIX Device (sysUpTime). |
| packetDeltaCount | 2 | UINT64 | The number of incoming packets since the previous report (if any) for this Flow at the Observation Point. |
| in_bytes | 3 | UINT64 | Total number of bytes received since the previous report (if any) for this Flow at the Observation Point. |
| connectionCountNew | 278 | UINT32 | This information element counts the number of TCP or UDP connections which were opened during the observation period. The observation period may be specified by the flow start and end timestamps. |
| connectionSumDuration | 279 | UINT64 | This information element aggregates the total time in seconds for all of the TCP or UDP connections which were in use during the observation period. For example, if there are 5 concurrent connections each for 10 seconds, the value would be 50 s. |
| ingressVRFID | 234 | UINT32 | A unique identifier of the VRFname where the packets of this flow are being received. This identifier is unique per Metering Process. |
| ipVersion | 60 | UINT8 | The IP version field in the IP packet header. |
NetFlow Field Types for RPT_TRANSACTION_NF
A transaction is a set of logical exchanges between endpoints. There is normally one transaction within a flow. The Transaction Record monitors the traffic at the transaction level. Transaction Records provide a detailed analysis of the traffic flows, including extracted Layer 7 fields. Due to the high load of transactions, these records are sampled or filtered. Transaction Records are bound to the input and output directions of the network side interfaces. These Transaction Records allow the system to capture each unidirectional flow once.
Table A-2 describes NetFlow Field Types for RPT_TRANSACTION_NF Table:
Table A-2 NetFlow Field Types for RPT_TRANSACTION_NF
| Field Name | Field Type ID | Data Type | Description |
|---|---|---|---|
| time_stamp | - | TIMESTAMP | DB insertion timestamp value |
| head_time_stamp | - | INT32 | Packet timestamp from ASR1K |
| head_src_id | - | INT32 | Contains the IP address of the Cisco ASR1K platform that generated the NFR |
| conn_tx_id | 280 | UINT64 | A unique ID for the transaction |
| application_id | 95 | INT32 | The unique ID for the application |
| ingressInterface | 10 | UINT32 | The index of the IP interface where packets of this Flow are being received. |
| egressInterface | 14 | UINT32 | The index of the IP interface where packets of this Flow are being sent. |
| flowDirection | 61 | UINT8 | The direction of the Flow observed at the Observation Point. There are only two values defined (Ingress/Egress). |
| flowStartSysUpTime | 22 | UINT32 | The relative timestamp of the first packet of this Flow. It indicates the number of milliseconds since the last (re-)initialization of the IPFIX Device (sysUpTime). |
| flowEndSysUpTime | 21 | UINT32 | The relative timestamp of the last packet of this Flow. It indicates the number of milliseconds since the last (re-)initialization of the IPFIX Device (sysUpTime). |
| packetDeltaCount | 2 | UINT64 | The number of incoming packets since the previous report (if any) for this Flow at the Observation Point. |
| in_bytes | 3 | UINT64 | Total number of bytes received since the previous report (if any) for this Flow at the Observation Point. |
| src_ipv4_addr | 8 | UINT32 | The IPv4 source address in the IP packet header. |
| src_port | 7 | UINT16 | The source port identifier in the transport header. |
| dst_ipv4_addr | 12 | UINT32 | The IPv4 destination address in the IP packet header. |
| dst_port | 11 | UINT16 | The destination port identifier in the transport header. |
| protocol_id | 4 | UINT8 | The value of the protocol number in the IP packet header. |
| flow_id | 48 | UINT64 | Reserved for future use. |
| flow_end_reason | 136 | UINT8 | The reason for Flow termination. |
| biflow_direction | 239 | UINT8 | A description of the direction assignment method used to assign the Biflow Source and Destination. |
| ingressVRFID | 234 | UINT32 | A unique identifier of the VRFname where the packets of this flow are being received. This identifier is unique per Metering Process. |
| ipVersion | 60 | UINT8 | The IP version field in the IP packet header. |
| sourceIPv6Address | 27 | UINT32 | The IPv6 source address in the IP packet header. |
| destinationIPv6Address | 28 | UINT32 | The IPv6 destination address in the IP packet header. |
NetFlow Field Types for RPT_GLB_USAGE_NF Table
Global usage records are the records of many applications running over an interface. You can use them to monitor the total traffic over the network, monitor the usage of all the applications over a specific time period, or monitor the peak and average usages of all the applications over an interface.
Table A-3 describes NetFlow Field Types for RPT_GLB_USAGE_NF Table:
Table A-3 NetFlow Field Types for RPT_GLB_USAGE_NF Table
| Field Name | Field Type ID | Data Type | Description |
|---|---|---|---|
| time_stamp | - | TIMESTAMP | DB insertion timestamp value |
| head_time_stamp | - | INT32 | Packet timestamp from ASR1K |
| head_source_id | - | INT32 | Contains the IP address of the Cisco ASR1K platform that generated the NFR |
| class_id | 51 | UINT32 | Reserved for future use. |
| ingressInterface | 10 | UINT32 | The index of the IP interface where packets of this Flow are being received. |
| egressInterface | 14 | UINT32 | The index of the IP interface where packets of this Flow are being sent. |
| flowDirection | 61 | UINT8 | The direction of the Flow observed at the Observation Point. There are only two values defined (Ingress/Egress). |
| flowStartSysUpTime | 22 | UINT32 | The relative timestamp of the first packet of this Flow. It indicates the number of milliseconds since the last (re-)initialization of the IPFIX Device (sysUpTime). |
| flowEndSysUpTime | 21 | UINT32 | The relative timestamp of the last packet of this Flow. It indicates the number of milliseconds since the last (re-)initialization of the IPFIX Device (sysUpTime). |
| packetDeltaCount | 2 | UINT64 | The number of incoming packets since the previous report (if any) for this Flow at the Observation Point. |
| in_bytes | 3 | UINT64 | Total number of bytes received since the previous report (if any) for this Flow at the Observation Point. |
| connectionCountNew | 278 | UINT32 | This information element counts the number of TCP or UDP connections which were opened during the observation period. The observation period may be specified by the flow start and end timestamps. |
| connectionSumDuration | 279 | UINT64 | This information element aggregates the total time in seconds for all of the TCP or UDP connections which were in use during the observation period. For example, if there are 5 concurrent connections each for 10 seconds, the value would be 50 s. |
| ingressVRFID | 234 | UINT32 | A unique identifier of the VRFname where the packets of this flow are being received. This identifier is unique per Metering Process. |
| ipVersion | 60 | UINT8 | The IP version field in the IP packet header. |
NetFlow Field Types for CONF_TZ_OFFSET_NF Table
Table A-4 describes NetFlow Field Types for CONF_TZ_OFFSET_NF Table:
Table A-4 NetFlow Field Types for CONF_TZ_OFFSET_NF Table
| Field Name | Data Type | Description |
|---|---|---|
| time_stamp | TIMESTAMP | DB insertion timestamp value |
| offset_min | INT16 | Offset value in minutes |
NetFlow Field Types for NF_INI_VALUES Table
Table A-5 describes NetFlow Field Types for NF_INI_VALUES Table:
Table A-5 NetFlow Field Types for NF_INI_VALUES Table
| Field Name | Data Type | Description |
|---|---|---|
| time_stamp | TIMESTAMP | DB insertion timestamp value |
| nf_ip | STRING | Identification of the ASR1K platform where these values were applied. |
| value_type | INT16 | Key Name/Value family type. The possible values are listed after this table. |
| value_key | STRING | Key name. For example: Gold, Silver |
| value | INT32 | Numeric reference. |

Possible values of value_type (Key Name / Value family type):
• 5 - Source address 32-bit / dotted notation
• 101 - Input interface ID / Input Interface Name
• 102 - Input interface ID / Input Interface Description
• 103 - Output interface ID / Output Interface Name
• 104 - Output interface ID / Output Interface Description
• 111 - Application ID / Application Name
• 112 - Application ID / Application Description
• 114 - Application ID / Category Name
• 115 - Application ID / Sub-Category Name
• 116 - Application ID / Application Group
• 117 - Application ID / Attribute: p2p-technology
• 118 - Application ID / Attribute: tunnel
• 119 - Application ID / Attribute: encrypted
• 131 - Sampler ID / Sampler Info
Database Tables: Formats and Field Contents
Each NFR is sent to the Cisco Collection Manager. On the Collection Manager, adapters convert the NFRs and store them in database tables. This section details these tables and their columns (field names and types).
The following sections detail the different types of database tables:
• Table CONF_TZ_OFFSET_NF
• NetFlow Field Types for RPT_USAGE_NF Table
• NetFlow Field Types for RPT_TRANSACTION_NF Table
• Columns of Table RPT_GLB_USAGE_NF
• NetFlow Field Types for NF_INI_VALUES Table
Table CONF_TZ_OFFSET_NF
Database table CONF_TZ_OFFSET_NF contains the time-zone offset in minutes for the clock of each Cisco ASR 1000 Series router as configured by the select-sce-tz.sh script.
Table A-6 lists the columns of table CONF_TZ_OFFSET_NF.
Table A-6 CONF_TZ_OFFSET_NF Table Columns
| Field Name | Type |
|---|---|
| TIME_STAMP | TIMESTAMP |
| OFFSET_MIN | INT16 |
NetFlow Field Types for RPT_USAGE_NF Table
Table A-7 RPT_USAGE_NF Table Field Types
| Field Name | Type |
|---|---|
| TIME_STAMP | TIMESTAMP |
| NF_HEAD_TIME_STAMP | INT32 |
| NF_HEAD_SOURCE_ID | INT32 |
| NF_CLASS_ID | UINT32 |
| NF_APPLICATION_ID | INT32 |
| NF_INGRESS_IF | UINT32 |
| NF_EGRESS_IF | UINT32 |
| NF_FLOW_DIRECTION | UINT8 |
| NF_FLOW_START_SYSUP_TIME | UINT32 |
| NF_FLOW_END_SYSUP_TIME | UINT32 |
| NF_IN_PKTS | UINT64 |
| NF_IN_BYTES | UINT64 |
| NF_CONNECTION_COUNT_NEW | UINT32 |
| NF_CONN_SUM_DURATION | UINT64 |
| NF_INGRESS_VRF_ID | UINT32 |
| NF_IP_VERSION | UINT8 |
NetFlow Field Types for RPT_TRANSACTION_NF Table
Table A-8 RPT_TRANSACTION_NF Table Field Types
| Field Name | Type |
|---|---|
| TIME_STAMP | TIMESTAMP |
| NF_HEAD_TIME_STAMP | INT32 |
| NF_HEAD_SRC_ID | INT32 |
| NF_CONN_TX_ID | UINT64 |
| NF_INGRESS_IF | UINT32 |
| NF_EGRESS_IF | UINT32 |
| NF_FLOW_DIRECTION | UINT8 |
| NF_FLOW_START_SYSUP_TIME | UINT32 |
| NF_FLOW_END_SYSUP_TIME | UINT32 |
| NF_IN_PKTS | UINT64 |
| NF_IN_BYTES | UINT64 |
| NF_SRC_IPV4_ADDR | UINT32 |
| NF_SRC_PORT | UINT16 |
| NF_DST_IPV4_ADDR | UINT32 |
| NF_DST_PORT | UINT16 |
| NF_PROTOCOL_ID | UINT8 |
| NF_FLOW_ID | UINT64 |
| NF_FLOW_END_REASON | UINT8 |
| NF_BIFLOW_DIRECTION | UINT8 |
| NF_INGRESS_VRF_ID | UINT32 |
| NF_IP_VERSION | UINT8 |
| NF_SRC_IPV6_ADDR | STRING |
| NF_DST_IPV6_ADDR | STRING |
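An added example (not part of the Cisco documentation) of how an analyst might decode one RPT_TRANSACTION_NF row: it renders the integer address columns as dotted quads and derives the flow duration from the two UINT32 sysUpTime columns, which wrap after about 49.7 days. The sample row is constructed; the most-significant-octet-first encoding of the address integers and the database returning them as signed values are assumptions.

```python
import ipaddress

UINT32_MOD = 1 << 32  # sysUpTime columns are UINT32 millisecond counters
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}  # common IANA protocol numbers

def int_to_ipv4(value):
    """Render an INT32/UINT32 address column as a dotted quad.

    Masking to 32 bits handles values that come back signed. Assumption:
    the integer holds the address most-significant octet first.
    """
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))

def flow_duration_ms(start_sysup, end_sysup):
    """Milliseconds between first and last packet, tolerating one counter wrap.

    A device re-initialisation between the two packets resets sysUpTime,
    so the result is only meaningful within a single uptime period.
    """
    return (end_sysup - start_sysup) % UINT32_MOD

def decode_transaction(row):
    """Convert one raw row (dict keyed by column name) into readable values."""
    duration = flow_duration_ms(row["NF_FLOW_START_SYSUP_TIME"],
                                row["NF_FLOW_END_SYSUP_TIME"])
    proto = row["NF_PROTOCOL_ID"]
    return {
        "exporter": int_to_ipv4(row["NF_HEAD_SRC_ID"]),
        "src": f'{int_to_ipv4(row["NF_SRC_IPV4_ADDR"])}:{row["NF_SRC_PORT"]}',
        "dst": f'{int_to_ipv4(row["NF_DST_IPV4_ADDR"])}:{row["NF_DST_PORT"]}',
        "protocol": PROTOCOLS.get(proto, str(proto)),
        "duration_ms": duration,
        # Zero-length flows (single packet) have no meaningful rate.
        "bytes_per_sec": row["NF_IN_BYTES"] * 1000 / duration if duration else None,
    }

# Constructed sample row: signed exporter ID, flow spanning a sysUpTime wrap.
SAMPLE_ROW = {
    "NF_HEAD_SRC_ID": -1062731519,           # 192.168.1.1 read as signed INT32
    "NF_SRC_IPV4_ADDR": 167772165, "NF_SRC_PORT": 51514,
    "NF_DST_IPV4_ADDR": 3325256711, "NF_DST_PORT": 443,
    "NF_PROTOCOL_ID": 6, "NF_IN_BYTES": 48000,
    "NF_FLOW_START_SYSUP_TIME": 4294967000,  # 296 ms before the counter wraps
    "NF_FLOW_END_SYSUP_TIME": 704,           # 704 ms after the wrap
}

if __name__ == "__main__":
    print(decode_transaction(SAMPLE_ROW))
```

Subtracting the two sysUpTime columns directly would give a large negative duration for this row; the modulo keeps wrapped flows from being misread or dropped during traffic analysis.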
Columns of Table RPT_GLB_USAGE_NF
Table A-9 RPT_GLB_USAGE_NF Table Columns
| Field Name | Type |
|---|---|
| TIME_STAMP | TIMESTAMP |
| NF_HEAD_TIME_STAMP | INT32 |
| NF_HEAD_SOURCE_ID | INT32 |
| NF_APPLICATION_ID | INT32 |
| NF_INGRESS_IF | UINT32 |
| NF_EGRESS_IF | UINT32 |
| NF_FLOW_DIRECTION | UINT8 |
| NF_FLOW_START_SYSUP_TIME | UINT32 |
| NF_FLOW_END_SYSUP_TIME | UINT32 |
| NF_IN_PKTS | UINT64 |
| NF_IN_BYTES | UINT64 |
| NF_CONNECTION_COUNT_NEW | UINT32 |
| NF_CONN_SUM_DURATION | UINT64 |
| NF_INGRESS_VRF_ID | UINT32 |
| NF_IP_VERSION | UINT8 |
NetFlow Field Types for NF_INI_VALUES Table
Table A-10 NF_INI_VALUES Table NetFlow Field Types
| Field Name | Type |
|---|---|
| TIME_STAMP | TIMESTAMP |
| NF_IP | STRING |
| VALUE_TYPE | INT16 |
| VALUE_KEY | STRING |
| VALUE | INT32 |